An exploit that fetched a teenage hacker a $60,000 bounty targeted six different security bugs to break out of the security sandbox fortifying Google's Chrome browser.

The extreme lengths taken in March by a hacker identified only as Pinkie Pie underscore the difficulty of piercing this safety perimeter. Google developers have erected their sandbox to separate Web content from sensitive operating-system functions, such as the ability to read and write files to a hard drive. Such sandboxes are designed to minimize the damage that can be done when attackers identify and exploit buffer overflows and other types of software bugs that inevitably find their way into complex bodies of code.

Pinkie Pie's attack came during Pwnium, a contest that awarded $60,000 prizes to hackers who successfully broke out of the protective barrier by exploiting only vulnerabilities residing in code that is native to the Google browser. The teenager was one of only two contestants to win the top prize. He did it after executing a custom-written Netscape Plugin Application Programming Interface (NPAPI) exploit directly on a Dell Inspiron laptop that ran a fully patched version of Chrome on a fully patched version of Microsoft's Windows 7 operating system. Google patched the severest of the vulnerabilities within 24 hours of their being exploited.

According to technical details Google published Tuesday, Pinkie Pie's odyssey began by exploiting a bug in a prerendering engine that helps Chrome work faster by gathering clues about webpages before they're loaded. By combining the attack with a second one that exploited a separate bug, he was able to inject a tiny, eight-byte address into a highly restricted section of the browser that processes commands sent to graphics cards.

By guessing some predictable addresses allocated by Windows, he was able to execute the snippet using a technique known as return-oriented programming, which extracts pieces of code present in executable memory areas and rearranges them to form a malicious payload. Although graphics processes are sandboxed, their restrictions are more permissive than the parts of Chrome that render HTML and Native Client processes. That allowed the hacker to tap Chrome's inter-process communications channel—which allows different parts of the browser to work together—and exploit two additional bugs described here and here. They allowed his code to gain additional privileges so it could access the part of Chrome that runs NPAPI plugins. (Note: To keep similar bugs from being exploited in other programs, Google is delaying the disclosure of some details. Some of these links may not work immediately.)

By exploiting two more bugs here and here, he was finally able to break out of the sandbox. The Dell Inspiron responded by displaying an image of a pink pony wielding a medieval axe, but it could just as easily have loaded a backdoor trojan that gave Pinkie Pie complete control over the machine.
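The sandbox design the article describes rests on one idea: the untrusted process (renderer, GPU, plugin) never touches sensitive operating-system functions itself; it asks a more privileged broker over an IPC channel, and the broker enforces a policy. The sketch below is an added illustration written for this page, not Chrome's code; the message format, the three privilege levels, the allowed directory and the helper names are all invented for the demo. It shows the checks a broker has to get right, including the one the article's privilege-elevation bugs defeated: a message must never be able to change how trusted its sender is treated.

```python
"""Toy broker for a process sandbox (illustrative, not Chrome's implementation).

The broker learns a sender's privilege from the channel a message arrived on.
Every field inside the message is treated as attacker-controlled.
"""
import json
import os
from dataclasses import dataclass

# Constructed policy for the demo: the only directory a sandboxed process may read.
ALLOWED_ROOT = "/tmp/sandbox_demo"  # hypothetical path, does not need to exist

# Which operations each channel's privilege level may request (made up for the demo;
# the article only says the GPU process is more permissive than the renderer).
OPS_BY_PRIVILEGE = {
    "renderer": {"read_file"},
    "gpu": {"read_file", "gpu_command"},
    "plugin": {"read_file", "gpu_command", "read_any_file"},
}

MAX_MESSAGE_BYTES = 1024


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def parse_request(raw: bytes) -> dict:
    """Decode one IPC message; anything that is not a small JSON object is refused."""
    if len(raw) > MAX_MESSAGE_BYTES:
        raise ValueError("message too large")
    try:
        msg = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError(f"malformed message: {exc}") from None
    if not isinstance(msg, dict) or not isinstance(msg.get("op"), str):
        raise ValueError("message must be a JSON object with a string 'op'")
    return msg


def path_inside_root(path: str, root: str) -> bool:
    """Canonicalise the requested path (relative to root) and confine it to root."""
    full = os.path.realpath(os.path.join(root, path.lstrip("/")))
    root_real = os.path.realpath(root)
    return full == root_real or full.startswith(root_real + os.sep)


def check_request(msg: dict, channel_privilege: str) -> Decision:
    """Policy decision for one parsed message from a channel of known privilege."""
    if "privilege" in msg:
        # A message that asks to be treated as a more trusted process is exactly
        # the thing to refuse: the broker already knows who it is talking to.
        return Decision(False, "privilege claims inside messages are refused")
    op = msg["op"]
    if op not in OPS_BY_PRIVILEGE.get(channel_privilege, set()):
        return Decision(False, f"op {op!r} not permitted for {channel_privilege}")
    if op == "read_file":
        path = msg.get("path")
        if not isinstance(path, str) or "\x00" in path:
            return Decision(False, "path must be a NUL-free string")
        if not path_inside_root(path, ALLOWED_ROOT):
            return Decision(False, "path escapes the allowed directory")
    return Decision(True, "ok")


def handle(raw: bytes, channel_privilege: str) -> Decision:
    """Full broker path: parse, then apply policy; parse failures are denials."""
    try:
        msg = parse_request(raw)
    except ValueError as exc:
        return Decision(False, str(exc))
    return check_request(msg, channel_privilege)


if __name__ == "__main__":
    # Constructed sample traffic: one benign renderer read, one traversal attempt,
    # one attempt to borrow plugin privilege from a renderer channel.
    for raw, chan in [
        (b'{"op": "read_file", "path": "fonts/a.ttf"}', "renderer"),
        (b'{"op": "read_file", "path": "../../etc/passwd"}', "renderer"),
        (b'{"op": "read_any_file", "path": "x", "privilege": "plugin"}', "renderer"),
    ]:
        print(chan, raw, "->", handle(raw, chan))
```

The design choice worth noting is that `channel_privilege` is a parameter the broker supplies, not something read out of the message; the "privilege" field is refused outright rather than ignored so that a client even attempting it shows up as a denial worth logging.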

Pinkie Pie speaks

In an e-mail that arrived after this article was published, Pinkie Pie said Google's deep-dive analysis varied widely from the way he thought about the attack when he was fashioning it.

"It's interesting to see the bugs listed this way because when writing the exploit I only counted three bugs, not six," he wrote. "117417, 117715, and 117736 are all hardening measures that enforce security boundaries that don't strictly need to exist, which I guess is a good thing."

He went on to say he wasn't sure if he could break out of Chrome's sandbox a second time.

"Finding vulnerabilities is very luck based, and a new exploit would likely use a totally different code path," he explained. "But keep in mind that to be eligible for the $60,000, I had to use only bugs in Chrome itself, not the operating system, which is a fairly severe restriction compared to a real attack."

He also noted that the successful attack of Sergey Glazunov, the other Pwnium contestant to take home a $60,000 prize, "relied on roughly 10 distinct bugs," according to the Google blog post. An upcoming post will contain the details, Google promised.

The exploit underscores the hacking truism that it can take a single teenager days to break what hundreds of highly paid professionals have spent years to build. While Pinkie Pie's journey was painstaking, he said at the time that it took him only about 10 days to plan and execute it. The episode also explains why Google to date has awarded more than $500,000 to hackers who privately report vulnerabilities in its software and services. Sometimes, the only way to erect an impenetrable castle is to occasionally watch it come crashing down.

Updated to add comments from Pinkie Pie.

Promoted Comments

The skill of this hacker boggles the mind. I have a com sci degree and most of this is still way out of my league. The complexity of this hack both demonstrates the strength of Chrome's security and reinforces the truism that no security is perfect.

How the hell does a teenager learn all this stuff? Mind you, programming is fun but hacking? Sure, the final result IS fun but wading through bits and bytes? Sheesh. I admire this story and this kid. Simply amazing.

Lots of books, lots of random tutorial PDFs translated from Russian, and most importantly, lots and lots of time in OllyDbg. Everyone I know who is like this started as a young teen and was/is obsessed with it.

And in the distant past, SoftICE, and SmartCheck. And the tuts by the masters of the dark art of reverse engineering.

I learned by breaking copy protection on games -- I really really wanted to play the games the cool kids had but I couldn't afford to buy (heart-breaking stuff, I know). You just need the motivation -- it also helps if you like solving problems, which is pretty much all programming is.

Kudos to Google for rewarding people who directly contribute to their product (and help protect Google's brand).

Since 6 bugs are needed to break out of Chrome's sandbox, isn't it unlikely that this attack would have worked in the real world?

Especially if some of the 'bugs' needed specific steps done for them to work? That said, it's good that people are pointing out these bugs to Google and getting them fixed.

Abresh, it sounds like you don't understand how this contest works. Per the rules, entrants took a fully patched machine and pointed it at a booby-trapped website. If the website was able to execute code on the computer using only code native to Chrome, the person won the $60,000 prize.

In other words, Pinkie Pie's attack *did* work in the real world. Make sense?

47 Reader Comments

Don't feel unusual or unique. I've worked closely with programmers who could parse 10,000 lines of a C++ program they were working up, practically in their heads, but when it came to the operation of their boxes--even just doing general things, or taking shortcuts to get the OS to do something in particular--these same guys were clueless. It was always, "Hey, Walt, gotta' minute?" or "Can you look at this?" etc. This was inside a credit-card software company I once worked for long ago. I became known around there as "the guy who can fix stuff"...! No one was more shocked than I to realize just how specialized programmers are--the common assumption is that if a guy aces a computer science major then he "knows all about computers," and that assumption is dead wrong on many levels. The converse is that a guy who hacks and reverse engineers everything he learns, is also an ace coder--that is also not true in the slightest.

You simply do not need to be formally educated in a computer language or computer theory in order to develop and hone skills relative to hacking a computer environment successfully. In fact, hacking requires an "out of the box" state of mind which formal computer educations do far more to smother--with their long lists of "You cannot do x,x, and x" or "You must not do x, x, and x" and so on. The hacker begins by believing there is essentially nothing he cannot do--eventually, even if not right away. The hacker also has another advantage--he knows that there isn't any such thing as "bug-free" software... Heck, even the chips we use in our hardware have bugs in them--called "errata" in cpus, etc. Everything has bugs--it's just a matter of finding them and figuring out how to use them for your aims.

Also wrong is your assumption about Chrome along security lines. Just like the way in which people evaluate the skill of programmers by the degree(s) they've earned--so are people clueless about "software holes" or "vulnerabilities" in general. Most people assume that a "hole," for instance, is in the singular--that it's "just one place" where you flip a bit and you are magically put in charge of the host machine, and that sort of thing. Not true--and it doesn't matter if it's IE or Chrome or Safari we're talking about. Way back when Netscape was still viable and paying college kids $1k a pop to find holes in its Navigator and Communicator browsers, "holes" were always tricky devils that required a confluence of sometimes very unlikely events to all occur simultaneously *before* the so-called "hole" could be made to manifest and a machine could be commandeered. I remember laughing at some of the "holes" Netscape was paying for, the descriptions of some of which would read like this:

1) User must be on-line, between 9 pm and 12 midnight, at a screen resolution of 1152x864x32
2) User must be printing a text page via the "Prt Scr" command while he is formatting a floppy disk in drive b:\ via a command prompt
3) User must have two open windows on his desktop and two minimized windows
4) User must be running [insert browser here] in a third open window
5) User must ensure that the browser's email display is set to browser default
6) User must then visit a web site and press a button on screen (for instance "enter")
7) At this point, if malicious code exists on the site which is designed to do so, it can enter the system via the default email settings string-bug
8) Privileges will be elevated and the machine can be compromised and the end user will not know until the compromise is successful and control is lost

How do you like 'dem apples for a description of your common "security hole"...? Of course the one above is exaggerated deliberately, but I've read hundreds (?--it's not good reading so maybe I've read less over the years) of such descriptions and I often have laughed out loud at the absurdity of the amount and kinds of conditions that have to be true in order for most so-called "holes" to manifest. The windows--holes--aren't there all the time--and few people realize this. They think of holes as "steady state" as if they are always there--which is most often simply not true. Yet, Netscape was paying people $1k to find and document such demonstrable "holes." If you've ever asked yourself how certain people claim to roam the Internet at will without running an AV/antiMalware program--this is the reason they have lucked out so far--this and the fact that they've kept their OSes and browsers updated, and they've been very picky as to which sites they visit, and *what software they run.*

For instance, over the last year I have picked up two "exploits" and two "Trojans," as Microsoft Security Essentials labels them. The first two I picked up latched on to Java version 31, and so then I installed Java 32, and a couple of months later MSE picked up the two exploits--that also had used Java to get in. Fortunately in both cases I had a fully updated Win7x64 installation, and MSE installed, so the code got in and promptly withered as it simply could not execute--and MSE deleted all of them permanently. I have since uninstalled Java for good (I've always been ambivalent about it, anyway.)

In this case, remember that Pinkie was limited in what he could do:

Quote:

"Finding vulnerabilities is very luck based, and a new exploit would likely use a totally different code path," he explained. "But keep in mind that to be eligible for the $60,000, I had to use only bugs in Chrome itself, not the operating system, which is a fairly severe restriction compared to a real attack."

The thing is--after Pinkie broke out--it was at that point that Google started talking about bugs--specifically three of them that Pinkie never discovered... So...Google didn't even simulate Pinkie's thinking as it thought it had--which points out the differences between the formal vs. the informal education, etc. Advantage: Pinkie...!

Last, there's this eternal debate as to whether a "hole" is "flaw" or a "bug"... I prefer "hole" to "flaw," but like "bug" the best, because that's what these things are, really: unintended results. "Flaw" is just too prejudicial, and implies that an impossibility is true--that some software doesn't have "flaws." Love to see that myself.

Anyway, good advice is to run an AV anti-malware program that you trust, keep your OS and application files updated, and be discriminating about the sites you visit. As Pinkie reminds us, there are a lot more ways to hack into a computer than through the browser, and when hackers hack they have access to everything--not like in this strictly controlled and limited contest Google arranged for PR purposes (that really doesn't mean much on its own.)

Quote:

Anyway, good advice is to run an AV anti-malware program that you trust, keep your OS and application files updated, and be discriminating about the sites you visit. As Pinkie reminds us, there are a lot more ways to hack into a computer than through the browser, and when hackers hack they have access to everything--not like in this strictly controlled and limited contest Google arranged for PR purposes (that really doesn't mean much on its own.)

This advice is worth following, but it's also important to remember that it does little to protect people against most 0day exploits, or the attacks that recently installed the Flashback malware on more than 500,000 Macs.

Also, how exactly is it that Pinkie Pie has reminded us that there are more ways to hack into a computer than through a browser? He was able to hijack the Dell Inspiron by pointing the Chrome browser to a booby-trapped website. Can you explain what you mean by that comment?

I consider system message pop-ups and opening new browser windows a flaw in Chrome. Disabled it, yet they come occasionally. System message pop-ups are used to install malware. Clicking anywhere triggers the malware.

Another flaw is in Google Image search. In the back of a preview the original page is loaded. Any rogue code on the page is executed. Google is fast to remove such results, but this should not happen. When I was using IE I had Google in my trusted zone. 3rd party pages were loaded as trusted as well. Code is still executed in image search, some pages detect a loop or redirect and reload directly.

My entry to this was about 10 yrs ago. I had a piece of software that required a hardware dongle, and I didn't want to carry it between my work and dorm computer. I was a CS student, and knew basic C. I found the address of the dongle (parallel port), and read it several times while launching the app. I finally found a non-zero value. At that point, I remapped the port with a service, and had it always return the value (and most of that was programs that were already available on the internet as tutorials).

Things haven't really changed much. You wouldn't believe how much production code is released that was compiled with debug flags set, or pkg files with 'notes' included. I ran across one a few weeks ago where they left a file that showed how to disable the serial / reg check. Most mistakes are stuff that are known issues / bugs that keep getting repeated for various reasons. Studying what has already been done will give you a way in to most things. You wouldn't believe how many apps still don't sanitize inputs.

The comments about how this illustrates the quality of Chrome's code because of the multiple steps required are totally overlooking a different interpretation: THERE WERE THAT MANY BUGS TO BE FOUND!

Ars writes "this underscores the difficulty..."

It took the attacker ten days to accomplish this. One kid.

Sheesh. No wonder we're toast.

While I share your sentiment (I'm constantly amazed that the Internet works as well as it does), this is very much addressed in the article already -- PP comments "Finding vulnerabilities is very luck based, and a new exploit would likely use a totally different code path" which sums it up nicely.

So to backtrack a bit, we have Google Chrome, one of the biggest and fastest-growing browsers in the world, saying "We'll give you $60,000 if you break it." Then probably several thousand developers start cracking for days or weeks, but only two vulnerabilities found? Don't you think that's absolutely amazing? I've worked in large companies and seen the sheer amount of bugs their software craps out and that there are only two people who managed to crack into Chrome is simply amazing.